U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

National Institute of Standards and Technology

FY 2009 FISMA Assessment of Manufacturing Engineering Laboratory Managed Infrastructure
(NIST 820-01)

Final Inspection Report No. OSE-19511/August 2009

Office of Audit and Evaluation


UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

August 7, 2009

MEMORANDUM FOR: Dr. Patrick Gallagher
                Deputy Director
                National Institute of Standards and Technology

FROM:           Allen Crawley
                Assistant Inspector General for Systems Acquisition and IT Security

SUBJECT:        National Institute of Standards and Technology
                FY 2009 FISMA Assessment of Manufacturing Engineering Laboratory Managed Infrastructure (NIST 820-01)
                Final Inspection Report No. OSE-19511

This report presents the results of our Federal Information Security Management Act (FISMA) review of NIST's certification and accreditation of the Manufacturing Engineering Laboratory Managed Infrastructure.

We found that NIST's C&A process provided the authorizing official sufficient information to make a credible risk-based decision to approve system operation. However, the system security plan and control assessments, though generally adequate, need improvement, and our tests of selected security controls identified weaknesses that require remediation.

In its response to our draft report, NIST concurred with all our findings and fully concurred with all but one of our recommendations. NIST's response is summarized in the appropriate sections of the report, where we also provide additional detail on the recommendation that NIST disagreed with and address some other minor points of disagreement. NIST's response is included in its entirety as appendix D.

We request that you provide us with an action plan describing the actions you have taken or plan to take in response to our recommendations within 60 calendar days of the date of this report. A plan of action and milestones should be used to communicate the plan as required by FISMA.

We appreciate the cooperation and courtesies extended to us by your staff during our evaluation. If you would like to discuss any of the issues raised in this report, please call me at (202) 482-1855.

Attachment

cc: Suzanne Hilding, chief information officer, U.S. Department of Commerce
    Simon Szykman, chief information officer, NIST
    Howard Harary, acting director, Manufacturing Engineering Laboratory, NIST
    Kenneth R. Glenn, chief, Information Technology Security and Networking Division, NIST


OIG FY 2009 FISMA Assessment

Listing of Abbreviated Terms & Acronyms

AO      Authorizing Official
C&A     Certification and Accreditation
CIO     Chief Information Officer
DISA    Defense Information Systems Agency
FIPS    Federal Information Processing Standards
FISMA   Federal Information Security Management Act of 2002
IT      Information Technology
MEL     Manufacturing Engineering Laboratory
NIST    National Institute of Standards and Technology
OCIO    Office of the Chief Information Officer
OIG     Office of Inspector General
OMB     Office of Management and Budget
SSP     System Security Plan
TCP     Transmission Control Protocol
URL     Uniform Resource Locator

Page 1


Synopsis of Findings

  • System security plan was generally adequate but improvements are needed.

  • Secure configuration settings were established for operating systems, but not for applications.

  • Control assessments were generally adequate but certification weaknesses were found.

  • OIG assessments found vulnerabilities requiring remediation.

Conclusion

  • As a result of the Commerce Office of the Chief Information Officer (OCIO) review referred to as the "Smart Spot Check" and subsequent improvement of the system C&A package, the authorizing official received sufficient information to make a credible, risk-based decision to approve system operation. Furthermore, continuous monitoring is providing the authorizing official sufficient information about the operational status and effectiveness of security controls. NIST should address the minor deficiencies we identified as part of its continuous monitoring of system security.

Summary of NIST Response

In its response to our draft report, NIST concurred with our findings and fully concurred with all but one recommendation. NIST requested that recommendation 2.1 regarding secure configuration settings be changed to only address the development of secure configuration settings for [redacted] rather than all IT products in the system. NIST also proposed several modifications to tables 1 and 2 dealing with vulnerabilities identified by our control assessments.

In addition, NIST identified actions it has taken or plans to take to address our recommendations. NIST's written response is included in its entirety as appendix D of this report.

OIG Comments

NIST generally concurred with our findings and all but one of our recommendations. We address specific elements of NIST's response in the applicable sections of the report and have modified tables 1 and 2 based on NIST's response.


Introduction

The Manufacturing Engineering Laboratory (MEL) Managed Infrastructure supports the lab's mission, which is to satisfy the measurements and standards needs of U.S. manufacturers in mechanical and dimensional metrology and advanced manufacturing technology by conducting research and development, providing services, and participating in standards activities.

The MEL Managed Infrastructure comprises managed workstations, servers, printers, and firewalls that provide file sharing, printing, authentication, fileserver access to scientific project data, and security services to the laboratory's staff and guest workers.

NIST has categorized the MEL Managed Infrastructure as a [redacted].

The system was certified and accredited in September 2007 and was reviewed in December 2007 by the Department's OCIO using the Smart Spot Check process. This process was created by the Department's OCIO to determine whether C&A packages developed by Commerce operating units conform to the Department's IT security policy and applicable NIST standards and guidelines. Improvements recommended by this review were incorporated into the C&A package we evaluated.


Findings and Recommendations

1. System Security Plan Was Generally Adequate but Improvements Are Needed

  • The system description correctly represented the system components and defined the accreditation boundary.
      o Component listing was accurate.
      o System boundaries and interconnections were clearly defined.

  • Implementation descriptions for 2 of 23 NIST SP 800-53 security controls we targeted for review need improvement:
      o Unsuccessful Login Attempts (AC-7) does not define the time period during which invalid login attempts are enforced, as required by NIST SP 800-53.
      o User Identification and Authentication (IA-2) is identified as a system-specific control, but our assessment revealed that it has common control characteristics. [redacted] servers are managed by MEL system administrators. Thus, this control should be identified as a hybrid control in the implementation description.

  • [redacted] software is used by the system administrators for operational needs, but appropriate authorizations have not been obtained or documented in the SSP.
      o Department policy prohibits the use of [redacted] on Commerce IT systems unless it has been explicitly authorized in writing by an operating unit CIO in support of an official Commerce IT application. The policy also requires a copy of each such authorization to be sent to the Commerce CIO.

  • The authorizing official and the senior agency information security officer had not approved the system security plan (SSP) prior to initiation of the security certification phase.
      o NIST certification and accreditation procedures have been revised to follow NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, which requires approval of the SSP prior to security certification.

Recommendations

  NIST should ensure that

  1.1 the security control descriptions in the SSP are accurate and complete; and

  1.2 waivers or special authorizations are obtained and documented in accordance with Department policy.

NIST Response

NIST concurred with this finding and our recommendations.


2. Secure Configuration Settings Were Established for Operating Systems, but Not for Applications

  Background: The Department's IT security policy and NIST SP 800-53 require establishing and assessing secure configuration settings for IT products, which include operating systems for system components (such as servers, desktops, laptops, routers, and switches) and applications (such as e-mail, web, VPN, firewall, intrusion detection, database, and antivirus). FISMA and OMB guidance also highlight the importance of secure configuration settings. Implementing and maintaining secure configuration settings is one of the most effective ways of negating threats.

  • Secure configuration settings and system-specific deviations were established and assessed for the following: [redacted]

  • However, NIST did not establish secure configuration settings for [redacted] and [redacted], two applications for which standardized configuration settings are available.

Recommendation

  2.1 NIST should ensure that secure configuration settings are established, implemented, and assessed for all IT products in the system accreditation boundary in accordance with NIST SP 800-70, Security Configuration Checklists Program for IT Products.

NIST Response

NIST concurred with this finding but did not fully concur with this recommendation. NIST requested that it be changed to "NIST should ensure that secure configuration settings are established, implemented, and assessed for [redacted] for this system in accordance with NIST SP 800-70, Security Configuration Checklists Program for IT Products."

OIG Comments

NIST's suggested change indicates its willingness to establish secure configuration settings for only [redacted]—IT products for which secure configuration guides or checklists are readily available. In addition to [redacted], MEL employs IT products such as [redacted], which have configurable parameters that impact the security of the system; however, NIST has not established secure configuration settings for these products. Our recommendation that NIST establish secure configuration settings for all IT products is consistent with the NIST SP 800-53 control requirement (Configuration Settings (CM-6)) that organizations establish "mandatory configuration settings for information technology products employed within the information system [emphasis added]."

We recognize that configuration guides or checklists that can be tailored might not be readily available for some IT products employed within MEL. However, the current Department IT security policy, updated March 2009, indicates operating units "shall use [NIST] SP 800-70 to develop configuration setting checklists for IT products for which none are available."

We therefore reaffirm our recommendation.


3. Control Assessments Were Generally Adequate but Certification Weaknesses Were Found

  The initial certification and accreditation package was completed in September 2007. After the system was accredited, the package underwent the Department's Smart Spot Check review process and the documentation was updated to address certification deficiencies that were identified. Continuous monitoring activities were also conducted in July 2008. We reviewed security control assessments from the updated package and evaluated continuous monitoring results.

  • We reviewed certification assessments for a targeted set of 23 NIST SP 800-53 security controls and determined the following were not properly assessed on all IT products.
      o SSP control implementation descriptions state that spam controls are implemented on [redacted]. But the Spam and Spyware Protection (SI-8) assessment did not evaluate [redacted].
      o [redacted] (See finding 4.)
      o Authenticator Management (IA-5) requires that default authenticators (e.g., passwords) be changed. Assessment procedures called for determining whether default authenticators are present, but the [redacted] were not evaluated.
          ▪ We assessed the [redacted] for default authenticators and found they had been changed.

  • To evaluate FY08 continuous monitoring we reviewed all control assessments and found that
      o controls required by NIST's continuous monitoring policy were assessed;
      o assessment procedures were developed and used to evaluate controls implemented on specific system components;
      o assessment results provided sufficient detail to support the outcome of assessment procedures; and
      o vulnerabilities identified during continuous monitoring were appropriately resolved, and the authorizing official was made aware of the results of the continuous monitoring effort.

Recommendations

  NIST should ensure that assessments

  3.1 address all aspects of the control as it is implemented in the system; and

  3.2 are applied to all applicable IT products.

NIST Response

NIST concurred with this finding and our recommendations.


4. OIG Assessments Found Vulnerabilities Requiring Remediation

  As part of OIG's FY09 FISMA evaluation of the MEL Managed Infrastructure, we assessed a targeted set of system components to determine if selected security controls are properly implemented. We tailored our procedures to the infrastructure's specific control implementations.

  Our assessments found the following vulnerabilities: [redacted]

Recommendations

  NIST should

  4.1 ensure the vulnerabilities we identified are added to the system's plan of action and milestones and either remediated or accepted by the authorizing official; and

  4.2 review the configuration settings that are not compliant with established checklists and correct them, document them as deviations, or incorporate them into the secure checklist.

NIST Response

NIST concurred with this finding and our recommendations but took exception to several entries in tables 1 and 2.

For the entry related to setting #18 in table 1, NIST noted that the deviation from the default setting for the component [redacted] is required to allow access to [redacted] and that the deviation for authentication servers has now been documented in its secure configuration [redacted].

For table 2, NIST indicated that the "[redacted]" service needs to be enabled for three of the components we identified. NIST also requested we remove the fully-qualified host name for the component [redacted].

OIG Comments

We added a note to table 1 to indicate that NIST reported documenting a deviation from setting #18 in its established checklist.

We deleted from table 2 the three components NIST identified as requiring the [redacted] service and removed the fully-qualified host name for [redacted] because it is not needed to address the [redacted] vulnerability we identified for that component.


Table 1. Secure Configuration Settings That Are Not Compliant With Established Checklists

[Table contents redacted.]


Table 2. Vulnerabilities Identified Through OIG System Scanning Using Nessus

Vulnerability | Port | Component | OIG Comments

[Table rows redacted.]


Appendix A: Objectives, Scope, and Methodology

To meet the FY 2009 FISMA reporting requirements, we evaluated the NIST certification and accreditation for the Manufacturing Engineering Laboratory (MEL) Managed Infrastructure (NIST 820-01).

Security certification and accreditation packages contain three elements, which form the basis of an authorizing official's decision to accredit a system.

  • The system security plan describes the system, the requirements for security controls, and the details of how the requirements are being met. The security plan provides a basis for assessing security controls and also includes other documents such as the system risk assessment and contingency plan, per Department policy.
  • The security assessment report presents the results of the security assessment and recommendations for correcting control deficiencies or mitigating identified vulnerabilities. This report is prepared by the certification agent.
  • The plan of action & milestones is based on the results of the security assessment. It documents actions taken or planned to address remaining vulnerabilities in the system.

Commerce's IT Security Program Policy and Minimum Implementation Standards requires that C&A packages contain a certification documentation package of supporting evidence of the adequacy of the security assessment. Two important components of this documentation are:

  • The certification test plan, which documents the scope and procedures for testing (assessing) the system's ability to meet control requirements.
  • The certification test results, which are the raw data collected during the assessment.

To evaluate the certification and accreditation, we reviewed all components of the package and interviewed NIST staff to clarify any apparent omissions or discrepancies in the documentation and gain further insight on the extent of the security assessment. We evaluated the system security plan descriptions and security assessment results for a targeted set of security controls and will give substantial weight to the evidence that supports the rigor of the security assessment when reporting our findings to OMB. (See appendix B for the controls we evaluated.)

In addition, we performed our own security control assessments on MEL Managed Infrastructure components. We chose a subset of the controls specified in NIST SP 800-53 for a moderate-impact system, and a subset of procedures from NIST SP 800-53A, which we tailored to NIST's specific control implementations. We did not attempt to perform a complete assessment of each control; instead we chose to focus on specific aspects of some of the more important technical and operational controls. (See appendix C for the controls we assessed on MEL Managed Infrastructure components.)

We assessed controls on key classes of IT components and applications, choosing a targeted set of components from each class that would allow for direct comparison with NIST's certification test results. We assessed control implementations on five [redacted] components. In addition, we examined the security plan descriptions, including related policy documents, and interviewed appropriate NIST personnel.

Our assessments included the following activities:

  • Extraction, examination, and verification of system configurations
  • Generation of system events and examination of system logs
  • Execution of DISA (Gold Disk) and NIST scripts
  • Addition, modification, and deletion of operating system accounts
  • Execution and analysis of Nessus vulnerability scans

Our assessment was limited in scope and should not be interpreted as the comprehensive review that a security certification for a [redacted] system would require. However, our assessments gave us direct assurance of the status of select aspects of important controls in MEL Managed Infrastructure and provided meaningful comparison to NIST's security certification.

We used the following review criteria:
  • Federal Information Security Management Act of 2002 (FISMA)
  • U.S. Department of Commerce, IT Security Program Policy and Minimum Implementation Standards, June 30, 2005
  • NIST's Federal Information Processing Standards (FIPS)
      o Publication 199, Standards for Security Categorization of Federal Information and Information Systems
      o Publication 200, Minimum Security Requirements for Federal Information and Information Systems
  • NIST Special Publications:
      o 800-18, Guide for Developing Security Plans for Information Technology Systems
      o 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
      o 800-53, Recommended Security Controls for Federal Information Systems
      o 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
      o 800-70, Security Configuration Checklists Program for IT Products
      o 800-115, Technical Guide to Information Security Testing and Assessment

We conducted our evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections (rev. January 2005) issued by the President's Council on Integrity and Efficiency.


Appendix B: Targeted Set of NIST SP 800-53 Security Controls Evaluated During OIG Review of MEL Managed Infrastructure System Security Plan and Security Assessment Results

  • Account Management (AC-2)
  • Unsuccessful Login Attempts (AC-7)
  • System Use Notification (AC-8)
  • Session Lock (AC-11)
  • Session Termination (AC-12)
  • Wireless Access Restrictions (AC-18)
  • Auditable Events (AU-2)
  • Response to Audit Processing Failures (AU-5)
  • Time Stamps (AU-8)
  • Configuration Settings (CM-6)
  • Least Functionality (CM-7)
  • User Identification and Authentication (IA-2)
  • Authenticator Management (IA-5)
  • Water Damage Protection (PE-15)
  • Rules of Behavior (PL-4)
  • Vulnerability Scanning (RA-5)
  • User Installed Software (SA-7)
  • Boundary Protection (SC-7)
  • Mobile Code (SC-18)
  • Flaw Remediation (SI-2)
  • Malicious Code Protection (SI-3)
  • Information System Monitoring Tools and Techniques (SI-4)
  • Spam Protection (SI-8)


Appendix C: NIST SP 800-53 Security Controls Assessed by OIG on MEL Managed Infrastructure Components

  • Account Management (AC-2)
  • Unsuccessful Login Attempts (AC-7)
  • System Use Notification (AC-8)
  • Session Lock (AC-11)
  • Auditable Events (AU-2)
  • Time Stamps (AU-8)
  • Configuration Settings (CM-6)
  • Least Functionality (CM-7)
  • User Identification and Authentication (IA-2)
  • Authenticator Management (IA-5)
  • Rules of Behavior (PL-4)
  • User Installed Software (SA-7)
  • Mobile Code (SC-18)
  • Flaw Remediation (SI-2)
  • Malicious Code Protection (SI-3)


Appendix D: NIST Response

UNITED STATES DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Gaithersburg, Maryland 20899-0001
OFFICE OF THE DIRECTOR

July 10, 2009

MEMORANDUM FOR: Allen Crawley
                Assistant Inspector General for Systems Acquisition and IT Security

From:           Patrick Gallagher
                Deputy Director

Subject:        NIST Comments in Response to Draft Inspection Report No. OSE-19511 Entitled "FY 2009 FISMA Assessment of Manufacturing Engineering Laboratory Managed Infrastructure" (NIST 820-01), Draft Inspection Report No. OSE-19511

I would like to thank you for the opportunity to comment on your Draft Inspection Report No. OSE-19511, entitled "FY 2009 FISMA Assessment of Manufacturing Engineering Laboratory Managed Infrastructure" (NIST 820-01). In addition, I would like to compliment you on the thoroughness of your review.

NIST concurs with the majority of recommendations made in your draft report, and I assure you we will take all steps necessary to implement your recommendations. In the few cases where NIST does not fully concur with your recommendations, we have suggested that the language of the recommendation be changed, or we note that the recommendation is no longer appropriate due to changes in systems administration or configuration. NIST comments on the draft inspection report are found in the attachment to this letter.

Again, I would like to thank you for the opportunity to comment on this draft report, and assure you that NIST will implement your recommendations as soon as possible. If you have any questions concerning this response, please contact Stephen Willett on (301) 975-8707. Your efforts to improve NIST systems security are greatly appreciated.

Attachment


Response to FY 2009 FISMA Assessment of Manufacturing Engineering Laboratory Managed Infrastructure (NIST 820-01)
Draft Inspection Report No. OSE-19511/May 2009
Comments due June 12, 2009

1. System Security Plan Was Generally Adequate but Improvements Are Needed

Recommendations
NIST should ensure that
1.1 the security control descriptions in the SSP are accurate and complete; and
1.2 waivers or special authorizations are obtained and documented in accordance with Department policy.

NIST Response
NIST concurs with these findings and recommendations. See below for detailed responses.

OIG Documented Deficiency:
  System Security Plan: Implementation description for two of twenty-three NIST SP 800-53 security controls we targeted for review need improvement. Unsuccessful Login Attempts (AC-7) does not define the time period during which invalid login attempts are enforced as required by NIST SP 800-53.
NIST/MEL Remediation Plan/Justification:
  Corrected the MEL Procedures referenced in the SSP for this system. Corrected procedures included with the system documentation on the NIST OCIO secure share.
Testing Evidence and References:
  See System Security Plan for 820-01.

Page 1 of 10

OIG Documented Deficiency:
  User Identification and Authentication (IA-2) is identified as a system-specific control but our assessment revealed that it has common control characteristics. [redacted] servers are managed by MEL system administrators. Thus, this control should be identified as a hybrid control in the implementation description.
NIST/MEL Remediation Plan/Justification:
  Corrected in the System Security Plan for 820-01 for the FY09 annual assessment.
Testing Evidence and References:
  See System Security Plan for 820-01.

OIG Documented Deficiency:
  [redacted] software is used by the system administrators for operational needs, but appropriate authorizations have not been obtained or documented in the SSP. Department policy prohibits the use of [redacted] on Commerce IT systems unless it has been explicitly authorized in writing by an operating unit CIO in support of an official Commerce IT application. The policy also requires a copy of each such authorization to be sent to the Commerce CIO.
NIST/MEL Remediation Plan/Justification:
  The NIST CIO's office is currently drafting appropriate authorizations for specific and necessary use of [redacted].
Testing Evidence and References:
  Appropriate authorizations will be obtained.

OIG Documented Deficiency:
  The authorizing official and the senior agency information security officer had not approved the system security plan (SSP) prior to initiation of the security certification phase.
NIST/MEL Remediation Plan/Justification:
  NIST certification and accreditation procedures have been revised to follow NIST 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, which requires approval of the SSP prior to security certification.
Testing Evidence and References:
  (none given)


2. Secure Configuration Settings Were Established for Operating Systems, but Not for Applications

Recommendation
2.3 NIST should ensure that secure configuration settings are established, implemented, and assessed for all IT products in the system accreditation boundary in accordance with NIST SP 800-70, Security Configuration Checklists Program for IT Products.

NIST Response
NIST concurs with this finding, but does not concur with the wording for this recommendation.
Requested wording detailed\n           red below.\n    in\n                                                                  NIST/MEL Remediation\nOIG Documented Deficiency                                                                                      Testing Evidence and References\n                                                                     Plan/Justification\n                                                                                                     See CIS and DISA websites for checklists.\n                                                                                                     See recently accredited NIST systems for examples of use of\n                                                                 NIST currently uses established     such checklists at NIST. An example is SSP 181-04, where\n                                                                 secure configuration settings for   CIS checklists were used for both\n                                                                 applications where standardized     The next testing cycle for 820-01 will use such checklists.\nNIST did not establish secure configuration settings for\n                                                                 configuration settings are\n                                    two applications for which\n                                                                 available such as                   NIST requests that the recommendation be changed to read:\nstandardized configuration settings are available\n                                                                         NIST is currently using     \xe2\x80\x9cNIST should ensure that secure configuration settings are\n                                                                 established secure configuration    established, implemented, and assessed for\n                                                                 settings from CIS and DISA.                     
for this system in accordance with NIST SP 800-\n                                                                                                     70, Security Configuration Checklists Program for IT\n                                                                                                     Products.\xe2\x80\x9d\n\n\n\n\n                                                                                                                                                    Page 3 of 10\n\x0c3. Control Assessments Were Generally Adequate but Certification Weaknesses Were Found\n\nRecommendations\nNIST should ensure that assessments\n3.1 address all aspects of the control as it is implemented in the system; and\n3.2 are applied to all applicable IT products.\n\nNIST Response\n         NIST concurs with these findings and these recommendations. See below for detailed responses.\n\n                                                                                        NIST/MEL\nOIG Documented Deficiency                                                              Remediation               Testing Evidence and References\n                                                                                     Plan/Justification\n                                                                                  The NIST CIO\xe2\x80\x99s office will\n                                    SSP control implementation descriptions\n                                                                                  ensure that\n                                    state that spam controls are implemented\n                                    on                     , but Spam and\n                                                                                                   during the\n                                    Spyware (SI-8) assessment did not\n                                                                                  next testing cycle for 820-\n               
                     evaluate\n                                                                                  01.\n\n\n\n                                                                                  There is a current NIST\nWe reviewed certification                                                         CIO POA&M to address\nassessments for a targeted set of                                                 this issue NIST wide.\ntwenty-three NIST SP 800-53\nsecurity controls and determined\nthe following were not properly\nassessed on all IT products.        Authenticator Management (IA-5)\n                                    requires that default authenticators (e.g.,\n                                    passwords) be changed. Assessment\n                                    procedures called for determining             The NIST CIO\xe2\x80\x99s office will\n                                    whether default authenticators are present    ensure that the\n                                    but the                           were not                    are properly\n                                    evaluated.                                    evaluated for 820-01\xe2\x80\x99s next\n                                         \xe2\x80\xa2 We assessed the              for       testing cycle.\n                                             default authenticators and found\n                                             they had been changed.\n\n\n                                                                                                                                            Page 4 of 10\n\x0c4. 
OIG Assessments Found Vulnerabilities Requiring Remediation\n\nRecommendations\nNIST should\n4.1 ensure the vulnerabilities we identified are added to the system\xe2\x80\x99s plan of action and milestones and either remediated or accepted by the\n    authorizing official; and\n4.2 review the configuration settings that are not compliant with established checklists and correct them, document them as deviations, or\n    incorporate them into the secure checklist.\n\nNIST Response\n       NIST concurs with these findings and these recommendations, with the exception of deviations documented in red below.\n       Additionally NIST requests the removal of the fully qualified hostname from the final report (see note in Table 2 below).\n       See below for detailed responses.\n\n                                                             NIST/MEL Remediation\nOIG Documented Deficiency                                                                             Testing Evidence and References\n                                                                Plan/Justification\n\n\n\n                                                                      The MEL IT Security\n                                                           Officer briefed the System\n                                                           Owner on the complete list of\n\n                                                                              and what was\n                                                           considered valid due to business\n                                                           justification.\n\n\n\n\n                                                                                                                                       Page 5 of 10\n\x0c                                                    There is a current NIST CIO\n                                                    POA&M to address this issue\n                                                    
NIST wide.\n\n\n\n\nNoncompliant configuration\nsettings. Secure configuration                      See Table 1 below for specific\n                                     See Table 1\nsettings are not compliant with                     responses.\nestablished checklists.\nOther vulnerabilities. Our\nscanning using Nessus found\nseveral vulnerabilities, including                  See Table 2 below for specific\n                                     See Table 2\n                                                    responses.\n\n\n\nTable 1. Secure Configuration Settings That Are Not Compliant With Established Checklists\n\nOperating       Component            Noncompliant   Remediation Plan                 Justification or Testing Evidence\n System           Name                 Settings\n\n\n\n\n                                                                                                                         Page 6 of 10\n\x0cPage 7 of 10\n\n\n\n\n               \n\n\x0cPage 8 of 10\n\n\n\n\n               \n\n\x0cTable 2. Vulnerabilities Identified Through OIG System Scanning Using Nessus\n\n  Vulnerability   Port    Component        OIG Comments            NIST Remediation Plan   Justification\n\n\n\n\n                                                                                                   Page 9 of 10\n\n\n\n\n                                                                                                                  \n\n\x0cPage 10 of 10\n\n\n\n\n                \n\n\x0c'